Vice President and CIO David Finn of Houston-based Texas Children’s Hospital discusses how his IT team ensures the availability, security and privacy of the hospital’s information.

Privacy, Security, Protection

Several years ago, Texas Children’s Hospital began developing a plan to address the standards of the Health Information Portability and Accountability Act (HIPAA). This provided an opportunity to link privacy and security in a central office.

Frequently, privacy concerns are managed by either the compliance or medical records department, while security issues are generally the purview of the information technology group. Because it is impossible to have privacy unless you also have security, tying the two together from an operational and enforcement perspective created significant synergy at our hospital.

As the technology and threat landscape changed, we leveraged advances in security to harden our perimeter and automate security processes in order to ensure that sensitive information would be handled appropriately. At the same time, our infrastructure became more complex. After all, we are more than a hospital; we are an integrated delivery system that comprises a variety of organizations and services. This complicates the challenges of safeguarding privacy and security.

What’s more, we’re also an academic medical center, so we have a lot of visiting faculty and researchers who must be able to access and share information with other researchers in formal presentations and informal meetings. To guard against data leakage and help ensure data integrity, our team must know who is accessing information, when they are accessing it and what they are doing with it.

To achieve those goals, we are implementing Symantec’s endpoint protection and data-loss-prevention technologies. The firewall, anti-virus, anti-spyware, intrusion prevention and other security technologies of the endpoint protection solution help keep malicious code and activity out of our enterprise, while the data-loss-prevention technology helps keep confidential information from leaving the hospital system.

This project is just the latest in a series of security-related activities for Texas Children’s Hospital. For example, two years ago, we added Symantec’s Security Information Manager to our toolkit to help us collect, store and analyze security log data, as well as to monitor and respond to security events in order to meet compliance requirements. A year before that, we deployed the vendor’s Enterprise Security Manager to define and measure our efforts in meeting security policies and standards, along with its DeepSight Threat Management System services to stay apprised of the latest threats on the global horizon.

Since then, we have seen a 93 percent decrease in infected systems and a significant reduction—almost 700 hours per month—in the time required to compile audit reports and remediate security incidents.

These security practices and tools will become even more critical as our caregivers and patients become more mobile. Soon, we’ll see doctors using their smart phones to access medical records and patients using their phones to send heart readings and the like directly into their medical records.

What will never change, however, is the importance of keeping that information safe and available, as well as our commitment to doing all we can to make that possible, even as our IT environments become more complex and sophisticated.

At Texas Children’s Hospital, every individual and organization is dedicated to delivering optimal care to the millions of children who come through our doors. And our IT initiatives and professionals are focused on making sure the technology infrastructure and processes that support and help enable quality care are the best they can be.

Our ultimate goal is to ensure that all the children who come to our hospital leave stronger, better and healthier.